This Privacy Policy describes how NexWeave, Inc. (“NexWeave”, “we”, “us”) collects, uses, shares, and protects Personal Information when you visit nexweave.ai, our portals, and our APIs (collectively, the “Service”). It applies to US and EU/UK residents and is designed to meet the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA/CPRA), and the EU AI Act (Regulation 2024/1689).
1. Data Controller & Contact
The data controller for the Service is NexWeave, Inc. You can reach us at [email protected]. For EU/UK residents, our appointed representative can be reached at the same address.
2. What We Collect
| Category | Examples | Legal basis |
|---|---|---|
| Account | Email, name, org name, org type, Clerk user ID | Contract performance (Art. 6(1)(b)) |
| AIRISK disclosure | Your AI use cases, jurisdictions, model inventory, production endpoints, governance practices (as you provide in AIRISK.md) | Contract performance |
| Insurance policies | PDF files you upload, extracted metadata, AI exclusion findings | Contract performance |
| AI Audit results | Screenshots + traces of automated navigation on URLs you provide, findings | Contract performance |
| Usage | Pages visited, feature usage, request logs, IP address | Legitimate interest (Art. 6(1)(f)) |
| Billing | Last 4 digits of card, billing address, invoices | Contract performance |
We do NOT intentionally collect: special-category data (race, religion, health, biometrics), data from children under 16, or any data we don’t need to provide the Service.
3. How We Use Your Data
- Provide, operate, and secure the Service.
- Run AI-powered analysis (Policy X-Ray, AI Audit, Web Scan) on your behalf.
- Route anonymized quote requests to participating brokers after you opt in.
- Respond to support requests and regulatory inquiries.
- Send transactional emails (password reset, broker activity notifications).
- Improve our product through aggregated, anonymized analytics.
We do NOT train AI models on your data, sell your data, or use your data for advertising.
4. AI Processing
The Service uses Anthropic’s Claude 3.5/4.5 Sonnet to analyze uploaded policies, your AIRISK disclosure, public web pages you designate, and other content you submit. Per our agreement with Anthropic, your content is not used to train Anthropic’s models.
AI-generated outputs (e.g. “this clause is an AI exclusion”) are estimates, not legal advice. Always verify material findings with a licensed professional before acting on them. This disclosure is made under EU AI Act Article 50 (transparency obligations for certain AI systems).
5. Sharing with Third Parties
We share your Personal Information only with:
- Sub-processors acting on our instructions — see our Data Processing Agreement for the full list (Anthropic, Clerk, Stripe, AWS, Resend, Sentry).
- Brokers you authorize by submitting a quote request. Brokers who purchase an unlock see your firm profile, contact email, gap summary, and requested coverage. You can pause lead sharing at any time in your org settings.
- Legal authorities when required by law, subpoena, or to protect our rights, our users, or the public.
We do not sell your Personal Information. Any sharing that could count as a “sale” under the CCPA is off by default, and you can record an explicit opt-out at any time via Do Not Sell My Info.
6. Retention
| Category | Retention |
|---|---|
| Account data | Life of account + 30 days |
| AIRISK + findings | Life of account + 30 days |
| Policies (S3) | Life of account + 30 days |
| Audit screenshots | 90 days |
| Access logs | 12 months |
| Billing records | 7 years (IRS / HMRC) |
| LeadUnlock history | 7 years |
7. Your Rights
Regardless of where you live, you can:
- Access — export all data we hold on you via your org settings → “Export my data”.
- Rectify — edit your org profile, AIRISK, and policy metadata directly in the portal.
- Delete — delete your org via settings. All org-scoped data is removed within 30 days, except records we are required to keep for longer (see the retention periods in Section 6, e.g. billing records).
- Portability — the export is JSON + CSV.
- Object — opt out of analytics and lead sharing at any time.
EU/UK (GDPR) additional rights
- Restrict processing (Art. 18).
- Withdraw consent (Art. 7(3)).
- Lodge a complaint with your national supervisory authority.
- Object to automated decisions (Art. 22). NexWeave does not make legally significant decisions about you without human review.
California (CCPA/CPRA) additional rights
- Right to know — see Notice at Collection for the categories we collect, sources, and uses.
- Right to limit use of sensitive information — we don’t collect sensitive PI.
- Non-discrimination — exercising your rights doesn’t degrade the Service.
All requests go to [email protected] or the “Export my data” / “Delete my org” flows in the portal. We respond within 30 days.
8. Security
Data at rest is encrypted with AES-256 (AWS S3 + RDS). Data in transit uses TLS 1.2+. Secrets are managed in AWS Secrets Manager. Access to production data is limited to operators with multi-factor authentication. We are pursuing SOC 2 Type II; an internal access log records all sensitive reads.
9. International Transfers
We operate primarily in AWS us-east-1 (United States). For EU/UK data subjects, transfers rely on Standard Contractual Clauses (2021) with a Transfer Impact Assessment on file.
10. Children
The Service is not intended for users under 16. We do not knowingly collect data from children.
11. Changes to this Policy
We may update this Policy. Material changes will be notified by email to your account holder 30 days before taking effect.